6/15/2016
11:30 AM
Chris Veltsos
Commentary

What CISOs Need to Tell The Board About Cyber Risk

To avoid devastating financial losses, boards and the C-suite must have a deep understanding of the cyber risks their organizations face. Here's what they need to hear from the security team.



There should be little doubt about cybersecurity’s importance in 2016 given the amount of attention the topic has garnered in the past decade. Board directors and top leadership are under pressure from all sides: from federal and state regulators, from business partners seeking to tackle third-party vendor cyber risks, and from shareholders and their class-action lawyers ready to sue the moment a breach is announced.

The SEC’s leadership has been crystal clear about the responsibilities of board directors for proper cybersecurity governance. In his 2015 ABSPE speech, SEC Commissioner Luis A. Aguilar put it very clearly: “In the end, boards have a fiduciary responsibility to ensure that they possess the necessary skills, experience, and judgment to be competent stewards of their companies.”

Speaking at the New York Stock Exchange on June 10, 2014, Aguilar had also declared that “board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.”

For those still needing convincing, “Chapter 8: The risks to boards of directors and board member obligations” of the New York Stock Exchange’s book, “Navigating the Digital Age,” contains dire warnings for directors about their obligations and responsibilities for adequate governance of cybersecurity risks.

Board directors have a fiduciary responsibility for cybersecurity. The question is no longer whether board directors should do something about cyber risk, but what they should do, both to show that they are governing in this area and to demonstrate that their decisions are keeping cybersecurity risk within acceptable levels.


How are board directors supposed to make the best possible decisions about cyber risks when the information they receive is full of technobabble about attacks, firewalls, malware, and the like? How are board directors to be adequately prepared, to have adequate deliberations, and adequate engagement on cybersecurity issues if the information reported to them doesn’t translate into the business impact of various risks? How can they make use of a subjective top-5 or top-10 list of cyber risks the organization is currently facing, or worse, a laundry list of color-coded controls that belongs in a risk register better suited for auditors?

Are Cyber Risks Adequately Reported?

If oversight of cybersecurity risk has become a strategic business issue, how are board directors supposed to oversee it if it isn’t translated and related to areas of the business? As a Deloitte report on risk puts it, “Is my Risk team giving me the confidence I need to make high-stakes decisions?” Based on a recent report by Bay Dynamics, the reality on the ground is far from that goal. The report found that “only two in five IT and security executives agree or strongly agree that the information they provide to the board contains actionable information. As a result, only 29 percent of respondents believe they get the support they need from their boards.”

Risks, Quantified

A quantitative approach to measuring and reporting cybersecurity risk lets the board and top management make well-informed cyber risk decisions. When cyber risk is expressed in financial terms, directors can confirm that they understand the exposure and that the organization is making cost-effective decisions about how it handles that exposure. In other words, board directors armed with quantified cyber risk data can make a strong statement about their oversight of this critical domain.

While this concept is relatively new in the cyber area, financial institutions and insurers have relied on risk quantification for decades. Using “Value at Risk” (VaR) to measure cyber risks is a concept whose time has come. In 2015, the World Economic Forum (WEF) released a special report entitled “Partnering for Cyber Resilience — Towards the Quantification of Cyber Threats.” In the report, the WEF describes that cyber value-at-risk models are “characterized by generic applicability across industries, scalability, ease of interpretation and ability to support executives’ investment and risk management decisions. Building the complete cyber value-at-risk model and having a comprehensive outlook on the organization’s assets under threat, organizations can also make decisions with regard to the appropriate amounts of investments in security systems.”

Similarly, Deloitte, in its CIO Journal section of the Wall Street Journal blog, writes that “cyber value-at-risk ultimately seeks to help them make more informed, confident decisions about their organizations’ risk tolerances and thresholds, cyber security investments, and other risk mitigation and transfer strategies.”

A standard model for this already exists: FAIR (Factor Analysis of Information Risk), which quantifies risk as the frequency of loss events combined with the financial magnitude of each loss. To ensure that board directors are provided with actionable data about cyber risks, organizations should look for a quantified cyber risk solution that can:

  • Quantify cyber risk in financial terms
  • Show where cyber risk is concentrated, so attention can go quickly to the highest-risk areas
  • Help the organization prioritize the areas where cyber risk can be reduced fastest
  • Visualize the impact of cybersecurity initiatives (amount of risk reduced or transferred, impact on exposure surface)
  • Assess the efficacy of cyber risk programs by comparing against previous time frames (this quarter versus last quarter, this year versus last year)

Such a platform would give board directors the data they need to exercise the skills, experience, and judgment expected of competent stewards of their organizations’ cyber risks. It would also ensure that boards, together with management, can properly prepare for, properly debate, and properly engage on cybersecurity risks. Ultimately, it would give board directors the confidence they need to make the high-stakes cyber risk decisions that are so critical to the business today.
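As an added worked example (not code from the article, and not an official FAIR implementation), the following Python script shows what “quantifying cyber risk in financial terms” looks like in practice: a loss scenario is described by how often it occurs per year and how much each occurrence costs, many possible years are simulated, and the result is reported as expected annual loss and value at risk in dollars, before and after a control. The scenario name, the event-frequency and loss calibrations, and the assumed effect of MFA are constructed numbers for illustration, not figures from the article.

```python
"""Monte Carlo cyber value-at-risk in the FAIR style (added example).

FAIR factors risk into loss event frequency (how often a loss scenario
occurs per year) and loss magnitude (dollars per event). Instead of a
single red/amber/green rating, we simulate many possible years and report
the resulting loss distribution in dollars: the expected annual loss and
the value at risk (the annual loss not exceeded in 95% or 99% of years).
All scenario numbers below are constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # loss event frequency: mean events per year
    loss_median: float      # median loss per event, in dollars
    loss_p90: float         # 90th-percentile loss per event, in dollars


def lognormal_params(median, p90):
    """Turn a median / 90th-percentile calibration into lognormal mu, sigma.

    A lognormal loss has log(loss) ~ Normal(mu, sigma); 1.2816 is the
    z-score of the 90th percentile of a standard normal distribution.
    """
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / 1.2816
    return mu, sigma


def poisson(rng, lam):
    """Sample an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, years, seed=2016):
    """Simulate `years` independent years; return the total loss in each."""
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    mu, sigma = lognormal_params(scenario.loss_median, scenario.loss_p90)
    annual = []
    for _ in range(years):
        n_events = poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(annual_losses):
    """Board-level numbers for one scenario, all in dollars."""
    return {
        "expected_annual_loss": statistics.mean(annual_losses),
        "var_95": percentile(annual_losses, 95),
        "var_99": percentile(annual_losses, 99),
    }


def compare(before, after, years=20000):
    """Quantify what a control buys: the same report before and after it."""
    base = summarize(simulate_annual_losses(before, years))
    post = summarize(simulate_annual_losses(after, years))
    return {
        "before": base,
        "after": post,
        "var_95_reduced": base["var_95"] - post["var_95"],
        "expected_loss_reduced": base["expected_annual_loss"] - post["expected_annual_loss"],
    }


# Constructed scenario: customer-data breach through stolen credentials.
BASELINE = Scenario("credential-theft breach", events_per_year=4.0,
                    loss_median=50_000, loss_p90=250_000)
# Same scenario after rolling out MFA, assumed here to halve event frequency.
WITH_MFA = Scenario("credential-theft breach + MFA", events_per_year=2.0,
                    loss_median=50_000, loss_p90=250_000)

if __name__ == "__main__":
    report = compare(BASELINE, WITH_MFA)
    for label in ("before", "after"):
        r = report[label]
        print(f"{label:>6}: expected annual loss ${r['expected_annual_loss']:,.0f}, "
              f"VaR95 ${r['var_95']:,.0f}, VaR99 ${r['var_99']:,.0f}")
    print(f"MFA reduces 95% value at risk by ${report['var_95_reduced']:,.0f}")
```

The numbers the script prints are the kind a board can act on: a dollar figure for expected loss, a dollar figure for a bad year, and the dollar reduction a specific initiative delivers, which can be set directly against that initiative's cost. Re-running the same model each quarter with updated calibrations gives the period-over-period comparison the list above asks for.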


Chris, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs ...
Comments
BobChaput,
User Rank: Apprentice
6/19/2016 | 9:34:26 AM
Very well done - What CISOs Need to Tell The Board About Cyber Risk
Chris, we share the same passion about cyber risk management. You did a great job with this article; thank you for your insights.